the data within your cookie is both encrypted and authenticated using state of the art cryptographic algorithms
various mechanism leveraging HTTP headers (HSTS, CSP, SameSite Cookie, X-XSS-Protection, X-Frame-Options, X-Content-Type-Options and X-Requested-With) to protect against an attacker trying to trick your browser into doing something nefarious
various other techniques which are left for the reader to discover by digging through the code
Nothing is kept server-side unless you use the share feature. In this scenario, Filestash keeps a persistent, encrypted version of your credentials.
Although Filestash server will not store your credentials, it does handle them and relevant data on a transaction basis, so it is best to run it in your Home zone, and failing that, in your Campus zone.
To increase security of your Filestash instance, pick Disposable Nodes which destroys themselves within a short timeframe e.g. once a day.